This legislation, titled the "Online Privacy Act of 2026," aims to establish robust individual privacy rights and impose stringent data handling requirements on entities that collect, process, or maintain personal information. It defines "personal information" broadly to include any data linked or reasonably linkable to an individual or device, and introduces the concept of "privacy harm" to encompass various adverse consequences from data misuse. The bill also criminalizes "doxxing," the intentional disclosure of personal information with intent to cause harm, and limits government entities from disclosing nonredacted personal records without consent. Title I grants individuals several key rights, including the right of access to their data, who it's shared with, and for what purpose. Individuals also gain the right of correction for inaccurate information, the right of deletion of their data, and the right of portability to download or transfer their information to other entities. Furthermore, it establishes a right to human review for automated decisions causing significant privacy harms and a right to individual autonomy , requiring express consent for behavioral personalization with options for non-personalized services. The bill also introduces a right to be informed when data is collected without an existing relationship and a right to impermanence , requiring consent for data retention durations. Title II outlines extensive requirements for covered entities, emphasizing data minimization , meaning entities can only collect, process, maintain, and disclose personal information that is reasonably needed for a requested product or service and for its original purpose. It mandates consent for disclosing personal information to third parties and specific identity disclosure for data sales, with exceptions for privacy-preserving computing and de-identified data. The bill prohibits the use of "dark patterns" in notice and consent processes and requires clear, concise privacy policies that meet Director-established thresholds for understanding. Crucially, the legislation restricts the collection, processing, and disclosure of communication contents and prohibits discriminatory processing of personal information based on protected class status. It also sets forth detailed information security requirements, including public security policies, vulnerability assessments, and data disposal processes. Covered entities must notify the Digital Privacy Agency, other affected entities, and individuals of data breaches or data-sharing abuses within strict timelines. To enforce these provisions, Title III establishes the independent Digital Privacy Agency (DPA) , led by a Director appointed by the President and confirmed by the Senate for a six-year term. The DPA is granted broad powers, including rulemaking authority, the ability to conduct investigations, and the establishment of an Office of Civil Rights to ensure fair and non-discriminatory data practices. The DPA will also manage a centralized complaint system for individuals and receive substantial annual appropriations to carry out its mission. Title IV details robust enforcement mechanisms, allowing the DPA to conduct investigations, issue subpoenas, and initiate civil actions for injunctions and civil penalties. States, through their attorneys general or privacy regulators, can also bring civil actions on behalf of their residents. Significantly, the bill creates a private right of action , enabling individuals to seek declaratory or injunctive relief and damages for violations, and includes provisions for whistleblower enforcement. The legislation clarifies that it does not supersede existing federal privacy laws but preempts inconsistent state laws unless the state law offers greater protection.